Virtual private networks (VPNs) offer the promise of lower network costs and reduced resource demand. However, they still must overcome significant problems, particularly security.
VPN security requires four things: protection of trusted LANs, secure communications between LANs, integrity of data, and protection (including auditing) against internal and external attacks. Security services come in various forms, ranging from filtering access attempts to data encryption to authentication of remote sites.
Users typically rely on simple firewalls and authentication systems for security. Unfortunately, while these approaches may help fend off a frontal attack on a server, they do not address other requirements, such as data confidentiality and integrity. This shortcoming can be due to idiosyncratic government import/export restrictions as much as technical limitations.
Meanwhile, Internet-happy executives blithely punch holes through firewalls to support half-thought-out VPN projects, leaving IT managers scrambling to re-establish access control, maintain confidentiality and assure the integrity of data transmitted over global networks. Luckily, a variety of products can help.
One noteworthy VPN security product is Bull's SecurWare. SecurWare gives you the flexibility to implement exactly the level and type of security you need with minimal network impact. Dedicated encryption hardware, operating at full LAN speeds, is used to ensure data confidentiality, sparing your network from the performance hit delivered by the more typical hardware/software encryption approach. In addition, data is compressed prior to encryption, thus avoiding the processing loads of router-based compression.
SecurWare uses smart card technology that allows personnel at remote sites to download security management information automatically without requiring special security training or certification. The product's standards-based approach allows interconnection with a wide range of backbone network providers.
Internet service provider UUNET's VPN security offering, ExtraLink, combines hardware security devices with software to provide services that include point-to-point encryption, which maintains data integrity and confidentiality.
ExtraLink uses Cisco Systems' network-layer encryption process but can also restrict services to specific LANs, permitting communication with limited parts of your VPN. This feature can be used to manage network access for business partners and customers on external LANs.
Another VPN security product, Cisco's CiscoSecure, performs data encryption, restricted access, user tracking and real-time intrusion audits. CiscoSecure servers assure that only authorised and authenticated users can access the VPN, and verify that each user has the right to use the requested service. Audit and accounting data is archived to track access attempts.
The increasing cost and complexity of networks will make VPNs increasingly attractive, even as shortages of qualified staff cause many large companies to consider outsourcing IT and network services. Any network-based business environment requires robust security.
The best VPN security products will use strong cryptography to provide data confidentiality, integrity and authentication, without requiring an IT manager to modify the VPN topology, IP addressing plan or existing applications.
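The three properties named above, together with the compress-before-encrypt ordering described for SecurWare, can be shown in a few lines of code. The following is an added example and is not code from the article or from any of the products it reviews. It protects a single VPN packet by compressing the payload, encrypting it, and then authenticating the result (encrypt-then-MAC), and the receiver verifies the tag before it decrypts, so a tampered packet is rejected without being processed. The key names, packet layout and HMAC-SHA256 counter-mode keystream are this example's own assumptions; a shipping gateway would use a standard authenticated cipher and keys derived from a key exchange rather than the constants here. One caveat the article does not raise: compressing before encrypting means the ciphertext length depends on the plaintext content, which leaks information when an attacker can influence part of what is compressed; that is why modern TLS no longer offers compression.

```python
import hashlib
import hmac
import os
import struct
import zlib
from typing import Optional

# Constructed demo keys (assumption for this example). A real deployment
# derives separate confidentiality and integrity keys from a key exchange or
# a smart-card-provisioned secret; it never hard-codes them.
ENC_KEY = hashlib.sha256(b"demo-confidentiality-key").digest()
MAC_KEY = hashlib.sha256(b"demo-integrity-key").digest()
NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256.

    Illustrative PRF only: production gateways use a standard cipher such as
    AES-GCM or ChaCha20-Poly1305, which is not available in the stdlib.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Compress, encrypt, then authenticate. Returns nonce || ciphertext || tag."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)  # fresh per packet; never reuse with a key
    if len(nonce) != NONCE_LEN:
        raise ValueError("bad nonce length")
    compressed = zlib.compress(plaintext)          # compress before encrypting
    stream = _keystream(ENC_KEY, nonce, len(compressed))
    ciphertext = bytes(a ^ b for a, b in zip(compressed, stream))
    # The tag covers the nonce too, so a swapped nonce is also detected.
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(packet: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any tampering."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        raise ValueError("packet too short")
    nonce = packet[:NONCE_LEN]
    ciphertext = packet[NONCE_LEN:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("integrity check failed: packet rejected")
    stream = _keystream(ENC_KEY, nonce, len(ciphertext))
    compressed = bytes(a ^ b for a, b in zip(ciphertext, stream))
    return zlib.decompress(compressed)


def tamper_detected(packet: bytes, byte_index: int) -> bool:
    """Flip one bit at byte_index and report whether the receiver rejects the packet."""
    mutated = bytearray(packet)
    mutated[byte_index] ^= 0x01
    try:
        unprotect(bytes(mutated))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample payload; its repetition is what makes compression pay off.
    payload = b"GET /inventory HTTP/1.0\r\nHost: intranet\r\n" * 20
    pkt = protect(payload)
    print(f"payload {len(payload)} bytes -> protected packet {len(pkt)} bytes")
    print("round trip ok:", unprotect(pkt) == payload)
    print("tampered ciphertext rejected:", tamper_detected(pkt, NONCE_LEN + 3))
```

The receiver's ordering is the point to take from this: the integrity check runs first and uses a constant-time comparison, and decryption and decompression only ever see data that has already been authenticated, which is what keeps a forged or modified packet from reaching the trusted LAN.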
Thus far, the Bull and UUNET architectures hold the most promise to meet these requirements with maximum flexibility.
Richard Ptak is vice president of systems management research for D.H. Brown Associates, an industry research and consulting firm in Port Chester, New York.